return "ok" if the certificate exists in the database and is not revoked

return "revoked" if the certificate exists in the database and is revoked

return "unknown" if the certificate does not exist in the database

It should be possible to configure:

return "ok" if the certificate exists in the database and is not revoked

return "revoked" if the certificate exists in the database and is revoked

return "ok" if the certificate does not exist in the database

It should be possible to configure:

return "ok" if the certificate exists in the database and is not revoked

return "revoked" if the certificate exists in the database and is revoked

return "revoked" if the certificate does not exist in the database

In the last case the transaction/audit log entry must still record that the certificate did not exist in the database, even though "revoked" was returned to the client. This is needed so that the OCSP responder can be monitored for queries about unknown certificates: a certificate that validates against the CA but is absent from the CA's own database can indicate rogue issuance.

When "revoked" is returned for an unknown certificate, this issue should also add the extended revoked definition response extension (id-pkix-ocsp-extended-revoke, RFC 6960 section 4.4.8) to the response. It goes in responseExtensions, not in singleExtensions, and is non-critical; per RFC 6960 section 2.2 the SingleResponse for such a non-issued certificate carries revocation reason certificateHold (6) and revocationTime January 1, 1970.

----- RFC6960
4.4.8. Extended Revoked Definition

This extension indicates that the responder supports the extended
definition of the "revoked" status to also include non-issued
certificates according to Section 2.2. One of its main purposes is
to allow audits to determine the responder's type of operation.
Clients do not have to parse this extension in order to determine the
status of certificates in responses.

This extension MUST be included in the OCSP response when that
response contains a "revoked" status for a non-issued certificate.
This extension MAY be present in other responses to signal that the
responder implements the extended revoked definition. When included,
this extension MUST be placed in responseExtensions, and it MUST NOT
appear in singleExtensions.
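The following is an added worked example of the three configurable modes described above and of what RFC 6960 requires when "revoked" is returned for a non-issued certificate. It is illustration only, not code from the responder this issue concerns. The in-memory CERT_DB, the dataclasses, lookup(), unknown_query_count() and the audit list are assumptions made for the example; status strings follow RFC 6960 ("good" rather than the "ok" used above). The OID 1.3.6.1.5.5.7.48.1.9 (id-pkix-ocsp-extended-revoke) and the certificateHold / 1970-01-01 values are taken from RFC 6960 sections 4.4.8 and 2.2.

```python
"""OCSP status lookup with a configurable policy for non-issued certificates.

Hypothetical example: the certificate "database" is a constructed dict,
and the response objects are plain dataclasses rather than DER structures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# RFC 6960 section 4.4.8: id-pkix-ocsp-extended-revoke ::= { id-pkix-ocsp 9 }
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"
# RFC 6960 section 2.2: a "revoked" SingleResponse for a non-issued certificate
# MUST use reason certificateHold (6) and revocationTime January 1, 1970.
CERTIFICATE_HOLD = 6
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class UnknownCertPolicy(Enum):
    """What to answer when the serial is not in the database (the three modes)."""
    UNKNOWN = "unknown"   # plain RFC 6960 behaviour
    GOOD = "good"         # "ok" in the issue text
    REVOKED = "revoked"   # extended revoked definition


@dataclass
class SingleResponse:
    serial: int
    status: str                              # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[int] = None


@dataclass
class OCSPResponse:
    single: SingleResponse
    # responseExtensions, keyed by OID -> (critical, value); NOT singleExtensions
    response_extensions: dict = field(default_factory=dict)


@dataclass
class AuditRecord:
    serial: int
    in_database: bool      # always the truth, independent of the policy
    status_returned: str


# Constructed sample database: serial -> (revoked?, revocationTime, reason)
CERT_DB = {
    0x1001: (False, None, None),
    0x1002: (True, datetime(2023, 5, 1, tzinfo=timezone.utc), 1),  # keyCompromise
}


def lookup(serial, policy, db=CERT_DB, audit=None):
    """Return (OCSPResponse, AuditRecord) for one serial under the given policy.

    The audit record states whether the serial existed in the database even
    when the policy makes the client-visible status "good" or "revoked".
    """
    row = db.get(serial)
    if row is not None:
        revoked, rev_time, reason = row
        single = (SingleResponse(serial, "revoked", rev_time, reason) if revoked
                  else SingleResponse(serial, "good"))
        resp = OCSPResponse(single)
    elif policy is UnknownCertPolicy.REVOKED:
        # Extended revoked definition: fixed reason/time plus the mandatory
        # non-critical response extension with a NULL value.
        single = SingleResponse(serial, "revoked", EPOCH, CERTIFICATE_HOLD)
        resp = OCSPResponse(single, {EXTENDED_REVOKE_OID: (False, None)})
    else:
        resp = OCSPResponse(SingleResponse(serial, policy.value))
    record = AuditRecord(serial, row is not None, resp.single.status)
    if audit is not None:
        audit.append(record)
    return resp, record


def unknown_query_count(audit):
    """Monitoring hook over the audit log: queries for serials the CA never
    issued. A rise here is the signal the issue text wants preserved, whatever
    status the policy returned to the client."""
    return sum(1 for r in audit if not r.in_database)


if __name__ == "__main__":
    log = []
    for policy in UnknownCertPolicy:
        resp, rec = lookup(0x9999, policy, audit=log)
        print(policy.name, resp.single.status, resp.response_extensions, rec)
    print("unknown-certificate queries:", unknown_query_count(log))
```

Running the block shows that only the REVOKED policy attaches the extension, and that all three audit records say in_database=False regardless of the status sent.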